Authentication with system users is a deprecated feature. This authentication mechanism is scheduled to be removed in a future release of ADOIT. It is still available for compatibility reasons, but should no longer be used.
The Administration Toolkit provides the possibility to import Windows users into the ADOIT User Management component. These so-called "system users" are imported from the directory service Microsoft Active Directory via the application protocol LDAP. They can be used for secure authentication against the web client and the Administration Toolkit.
System users can log in to the Administration Toolkit without providing a username and password (single sign-on).
Login to the web client requires a user name and password.
System users cannot be created manually.
Imported attributes are read-only.
Other custom attributes can be added and changed later.
To enable login to the web client via single sign-on, you must configure the authentication mechanisms IDM or SAML. For details, please refer to the chapter Authentication Mechanisms of the ADOIT Web Client in the Installation Manual.
Before importing system users into ADOIT, you have to configure the SSO provider. To adapt the settings:
On the Settings menu, click System preferences.
Click the Single Sign-on (SSO) button.
From the Current provider list, select the desired authentication protocol:
If you maintain users in Active Directory, select AD Provider (default selection).
For NTLM user authentication, select NTLM Provider.
In the Default domain box, enter the name of the default domain. For the NTLM Provider, the short DNS name (e.g. “name”) is required. For the AD Provider, the fully-qualified DNS name (e.g. “name.com”) is required.
Optionally, in the LDAP-fields mapping area, adapt the mapping of certain ADOIT user attributes to LDAP attributes. See below for details.
Confirm with OK.
The LDAP-fields mapping group contains ADOIT user attributes which use a standard mapping to the attributes received from the directory service. For example, the "loginname" has a standard mapping to the field "name" in the LDAP directory.
If you need to use a special mapping (e.g. because the standard fields are missing in the LDAP directory), you can define specific fields from the LDAP directory in this group. The fields will be mapped automatically during the user import.
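The following is an added illustration (not ADOIT's own code) of how a standard mapping with specific overrides resolves against directory entries, how unresolved fields end up in an import protocol, and how the default-domain rule from the SSO settings (short name for the NTLM Provider, fully-qualified name for the AD Provider) can be checked. Only the "loginname" to "name" mapping is from the page; the other attribute names and all directory entries are constructed.

```python
# Standard mapping: ADOIT attribute -> LDAP attribute.
# Only loginname -> name is taken from the documentation; the rest is constructed.
STANDARD_MAPPING = {
    "loginname": "name",
    "firstname": "givenName",   # constructed example mapping
    "email": "mail",            # constructed example mapping
}

def resolve_mapping(overrides=None):
    """Effective mapping: standard fields, replaced by any specific fields defined for the import."""
    effective = dict(STANDARD_MAPPING)
    effective.update(overrides or {})
    return effective

def import_users(entries, overrides=None):
    """Map LDAP entries to ADOIT user attributes; fields that cannot be resolved go to the protocol."""
    mapping = resolve_mapping(overrides)
    users, protocol = [], []
    for dn, attrs in entries.items():
        user = {}
        for adoit_field, ldap_field in mapping.items():
            if ldap_field in attrs:
                user[adoit_field] = attrs[ldap_field]
            else:
                protocol.append(f"{dn}: LDAP attribute '{ldap_field}' missing for '{adoit_field}'")
        if "loginname" in user:          # a user without a login name cannot be imported
            users.append(user)
        else:
            protocol.append(f"{dn}: skipped, no login name")
    return users, protocol

def check_default_domain(provider, domain):
    """NTLM Provider expects the short DNS name; AD Provider expects the fully-qualified DNS name."""
    if not domain:
        return False
    if provider == "NTLM Provider":
        return "." not in domain
    if provider == "AD Provider":
        return "." in domain and not domain.endswith(".")
    return False

# Constructed sample directory entries; the second one lacks the standard "mail" attribute.
SAMPLE_ENTRIES = {
    "CN=alice,OU=Staff,DC=example,DC=com": {"name": "alice", "givenName": "Alice", "mail": "alice@example.com"},
    "CN=bob,OU=Staff,DC=example,DC=com": {"name": "bob", "givenName": "Bob", "contactMail": "bob@example.com"},
}
```

Running `import_users(SAMPLE_ENTRIES)` reports the missing "mail" attribute for the second entry in the protocol; passing `{"email": "contactMail"}` as the specific mapping resolves it instead.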
Before the system (Windows domain) users can be used for the authentication, the system user accounts have to be imported into ADOIT. To import system users:
On the User menu, click Import system users.... The configuration dialogue for the system user import appears.
Select one or more user groups for import from the LDAP directory.
Select the Target user group.
Select the repository into which the user groups shall be imported.
Confirm with Import. The data is imported and a confirmation box appears.
Click Show protocol >> to verify if all the selected users and/or user groups have been correctly imported.
Optionally, you can also:
- Click Load system users to make those users visible that are contained in the user groups you have selected to import from the LDAP directory. Now you can choose individual users for the data import.
Loading system users may take a while, depending on the number of users contained in the groups.
- Select Import directory structure to create the sub groups of the LDAP directory in the target user group. Otherwise the LDAP users will be imported directly into the target user group.
- Click Search system users to search for users in the LDAP directory and import them directly. Please refer to the section Search and Import System Users for details.
In the Import System Users dialog box, you can quickly import entire groups of system users from the LDAP directory. However, choosing individual users for the import may take some time, depending on the number of users contained in the groups.
In order to directly search for users in the LDAP directory and import them without loading user groups:
On the User menu, click Search and import system users.
Click the Locations button to define the root location from which to begin your search.
In the Enter the object names to select (examples) box, type the user names that you want to find. Separate multiple entries with a semicolon (;).
Click the Check Names button to locate all matching or similar user names.
Click OK to import the selected users.
Optionally, you can also:
- Click the Extended button to select advanced search options.
The user attributes of system users (username, first name, email) can be brought up to date using the update function. This function can be carried out for individual users or user groups.
In order to update system users:
Select the users and/or user groups you wish to update in the User Catalogue.
In the context menu, click Update system users. The user data is updated and a confirmation box appears.
Click Show protocol >> to verify if all the selected users and/or user groups have been correctly updated.